Every website accepting credit card information must perform a quarterly scan of their ecosystem and submit it to the acquiring bank. On failing to do so, you most probably lose your license to accept and process credit card information, which, in turn, could be catastrophic for your business considering the popularity of using debit and credit cards.
Now, talking about the PCI scans, there are 3 types of scans which are the following:
External scan means scanning all the IP addresses/ranges that are public-facing on your network. These addresses/ranges need to be scanned on a quarterly basis.
Internal scan refers to your internal environment and the safeguards you have in place. This scan ensures that things are in proper position and are working appropriately.
Application scans are a must if you’re deploying public-facing web applications. Scanning of these websites needs to be done on a quarterly basis as well.